Decoder: Services Config View - General Tab

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Mar 28, 2017.
Version 4

This topic introduces features of the Services Config view > General tab for Decoders and Log Decoders. 

The General tab for a Decoder in the Services Config view provides a way to manage basic service configuration, configure data capture, and select the parsers that are applied to the captured data.

Settings that set up and tune data capture include:

  • Adapter selection
  • Cache specification
  • Capture autostart and other capture parameters that affect cache, sessions, and timeouts
  • Database file sizes
  • Location of the hash directory

The first figure is an example of the General tab for a Decoder. The second is the General tab for a Log Decoder.

Figure: Services Config View - Decoder (ParsConDeTran.png)

Figure: Services Config View - Log Decoder

Features

These are the four major sections in the General tab for Decoders and Log Decoders:

  • System Configuration
  • Decoder Configuration
  • Parsers Configuration
  • Service Parsers Configuration (Log Decoders only)

System Configuration

The System Configuration section manages service configuration for a Decoder. When a service is first added, default values are in effect. You can edit these values to tune performance.

Figure: DecSysCfgSec.png

The System Configuration section has these parameters.

Compression: The minimum number of bytes that must be transmitted per response before compression is applied. A setting of 0 disables compression. The default value is 0. A change in value is effective immediately for all subsequent connections.
Port: Determines the port used by the service. Note: If you change the port number, ensure that you restart the service.
SSL FIPS mode: If enabled, all data transferred over the network is encrypted using SSL.
SSL Port: The port used for SSL-encrypted connections.
Stat Update Interval: The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000. A change in value is effective immediately.
Threads: The number of threads in the thread pool that handle incoming requests. A setting of 0 lets the system decide. A change takes effect on service restart.

Decoder Configuration

The Decoder Configuration section provides a way to view and edit service configuration parameters for a Decoder or Log Decoder. When a service is first added, default values are in effect. You can edit these values to manage traffic capture.

Figure: DecCfgTop.png

Scrolling to the bottom of the section reveals these additional Decoder Configuration parameters.

Figure: DecCfgBottom.png

Adapter

Adapter parameters configure the network interface used for capture. The following describes the Decoder Adapter settings. The default network adapters available are set at installation. Consult your System Administrator for more information.

Berkeley Packet Filter: Berkeley Packet Filters (BPF) are applied to the packet stream before the packets are copied to the Decoder adapter for analysis. This allows unwanted traffic to be discarded efficiently. However, discarded packets are not accounted for in any Decoder statistics (capture rate, packets dropped, packets filtered, and total packets).
Capture Interface Selected: Select an adapter through which the Decoder captures packets. For the lower-speed internal capture interface, use the packet_mmap_,7,eth1 adapter, which corresponds to the monitor port located on the motherboard. There are six additional capture ports:
  • packet_mmap_,1,lo (bpf)
  • packet_mmap_,2,eth2 (bpf)
  • packet_mmap_,3,eth3 (bpf)
  • packet_mmap_,4,eth4 (bpf)
  • packet_mmap_,5,eth5 (bpf)
  • packet_mmap_,8,ALL (bpf)
There are three wireless capture services available:
  • packet_netmon_ (Microsoft Netmon)
  • packet_mac80211_ (Linux mac80211)
  • packet_airport_ (Mac OS X AirPort)

The Decoder also supports system-level packet filtering defined using tcpdump/libpcap syntax. Specifying a libpcap filter can efficiently reduce packet volume based on Layer 2 to Layer 4 attributes. A libpcap filter is appropriate when a Decoder is receiving a traffic volume that strains the physical resources of the platform. In this scenario, the Decoder may consistently drop packets while having a large number of capture pages available (/decoder/stats/capture.pagefree is high).
The following is an example of a libpcap filter that keeps only packets that do not have both source and destination addresses in the 10.21.0.0/16 subnet:
  not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)
For a full reference of the libpcap filter syntax, see the man pages for:
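As an added illustration (not part of the original documentation or of the Decoder's own code), the following Python model applies the filter above to constructed sample packets and contrasts it with the easily confused "not src net ... and not dst net ..." form, which drops far more traffic. The Packet type, the sample addresses (RFC 5737 documentation ranges) and the counting helper are assumptions of this example.

```python
import ipaddress
from typing import Callable, List, NamedTuple, Tuple

# Subnet from the page's example filter.
INTERNAL = ipaddress.ip_network("10.21.0.0/16")


class Packet(NamedTuple):
    src: str
    dst: str


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def keep_not_both_internal(pkt: Packet) -> bool:
    """Model of: not (src net 10.21.0.0/16 and dst net 10.21.0.0/16).
    Only packets with BOTH endpoints inside the subnet are dropped, so
    internal <-> external traffic is still captured."""
    return not (in_net(pkt.src, INTERNAL) and in_net(pkt.dst, INTERNAL))


def keep_neither_internal(pkt: Packet) -> bool:
    """Model of the easily confused form: not src net X and not dst net X.
    Any packet touching the subnet at either end is dropped."""
    return not in_net(pkt.src, INTERNAL) and not in_net(pkt.dst, INTERNAL)


def apply_filter(packets: List[Packet],
                 keep: Callable[[Packet], bool]) -> Tuple[List[Packet], int]:
    """Return (kept packets, number discarded). Packets a BPF discards do not
    appear in Decoder capture statistics, so a local count like this is the
    only way to see how much a candidate filter removes."""
    kept = [p for p in packets if keep(p)]
    return kept, len(packets) - len(kept)


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    Packet("10.21.4.10", "10.21.9.22"),     # internal -> internal
    Packet("10.21.4.10", "198.51.100.7"),   # internal -> external
    Packet("203.0.113.5", "10.21.1.1"),     # external -> internal
    Packet("203.0.113.5", "192.0.2.80"),    # external -> external
]

if __name__ == "__main__":
    for name, pred in (("not (both internal)", keep_not_both_internal),
                       ("neither internal", keep_neither_internal)):
        kept, dropped = apply_filter(SAMPLE, pred)
        print(f"{name}: kept {len(kept)}, dropped {dropped}")
```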

Cache

Cache parameters configure the cache directory and the size limit for session cache files. The following describes the cache settings.

Cache Directory: The directory where session cache files are stored. The default value is /var/netwitness/decoder/cache. Change takes effect immediately.
Cache Size: The maximum size, in megabytes (MB), that all files in the cache directory can attain before the oldest files are deleted. Once the threshold is reached, the cache size is reduced by 10%. The default value is 4 GB. Change takes effect immediately.

Capture Settings

The Capture Settings section provides a way to configure operational capture settings.

Note: By default, no capture rules are defined when you first install Security Analytics. Unless there are rules specified, the packets are not filtered. You can define capture rules before beginning to capture data (see Configure Network Rules, Configure Application Rules, and Configure Correlation Rules).

The capture settings are described below.

Assembler Maximum Size: Specifies the maximum size, in bytes, that a session's packet data can attain. The default value is 32 MB. Change takes effect immediately.
Assembler Minimum Size: Specifies the minimum size, in bytes, that a session must have in order to generate metadata. A value of 0 means every session has metadata generated. The default value is 0. Change takes effect immediately.
Assembler Session Flush: Specifies whether a session is removed from the assembler when the session's last chain is removed from the assembler. The default value is 1. Change takes effect on service restart.
  • 2 = If the first packet of a session times out of the assembler, the session is removed from the assembler after parsing is complete. Any subsequent packets for this session create a new session in the assembler.
  • 1 = If the last chain of a session times out of the assembler, the session is removed from the assembler. Any subsequent packets for this session create a new session in the assembler.
  • 0 = If the last chain of a session times out of the assembler, the session is left in the assembler until it times out. Any subsequent packets for this session are filtered.
Assembler Session Pool: Specifies the number of entries in the session pool. The default value is 350000. Change takes effect on service restart.
Assembler Timeout Packets: Specifies the number of seconds before a packet or chain is timed out. The default value is 60. Change takes effect immediately.
Assembler Timeout Session: Specifies the number of seconds before a session is timed out. The default value is 60. Change takes effect immediately.
Capture Autostart: Specifies whether capture begins automatically each time the Decoder is started. When checked, the value is yes; when unchecked, the value is no. The default value is no. Change takes effect immediately.
Capture Buffer Size: The capture memory buffer allocation, in megabytes. The default value is 64 MB. Change takes effect on service restart.
Parse Maximum Bytes: The maximum number of bytes of a stream to scan for additional tokens. Once the first token is found, the stream is scanned up to the set number of bytes, but no further. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 128 KB. Change takes effect immediately.
Parse Minimum Bytes: The minimum number of bytes of a stream to scan for the first token. If no token is found within the set number of bytes, scanning is terminated. A setting of 0 removes the early termination and the full stream is scanned regardless of size. The default value is 1 KB. Change takes effect immediately.
Parse Threads: The number of parse threads to use for session parsing. A value of 0 means the server decides. The default value is 0. Change takes effect on service restart.
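To make the interaction of Parse Minimum Bytes and Parse Maximum Bytes concrete, here is an added Python model of the two early-termination rules as described above; it is illustrative code written for this page, not the Decoder's parser. It assumes both limits are measured from the start of the stream, that "token found" means a token starts inside the window, and it uses a constructed sample stream and token list.

```python
from typing import List, Optional, Sequence, Tuple

Hit = Tuple[int, bytes]


def _first_hit(data: bytes, tokens: Sequence[bytes], limit: int) -> Optional[Hit]:
    """Earliest (offset, token) whose start lies before `limit`, or None."""
    best = None
    for tok in tokens:
        # find() takes an exclusive end; a token may START at limit-1.
        idx = data.find(tok, 0, limit + len(tok) - 1)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, tok)
    return best


def scan_stream(data: bytes, tokens: Sequence[bytes],
                parse_min_bytes: int, parse_max_bytes: int) -> List[Hit]:
    """Model of the Parse Minimum Bytes / Parse Maximum Bytes rules:
    - no token starting within the first parse_min_bytes -> stop, return nothing;
    - once a token is found, scan only up to parse_max_bytes of the stream.
    A value of 0 disables the respective limit. Both limits are measured from
    the start of the stream (an assumption of this model)."""
    n = len(data)
    min_window = n if parse_min_bytes == 0 else min(parse_min_bytes, n)
    first = _first_hit(data, tokens, min_window)
    if first is None:
        return []  # early termination: no token in the minimum window
    max_window = n if parse_max_bytes == 0 else min(parse_max_bytes, n)
    hits: List[Hit] = []
    for tok in tokens:
        start = 0
        while True:
            idx = data.find(tok, start, max_window + len(tok) - 1)
            if idx == -1:
                break
            hits.append((idx, tok))
            start = idx + 1
    if first not in hits:       # the triggering token always counts
        hits.append(first)
    return sorted(hits)


# Constructed sample stream: a short HTTP request header, 200 bytes of
# padding, then a late header (not from a real capture).
TOKENS = [b"GET ", b"Host:", b"User-Agent:"]
DATA = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
        + b"x" * 200 + b"\r\nUser-Agent: probe\r\n")
```

With the sample stream, a 64-byte maximum stops before the late User-Agent header, while a 16-byte minimum on a stream that begins with 100 bytes of padding yields nothing at all.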

Database Max File Sizes

The Database Max File Sizes section controls the maximum file size for the various databases. The following describes the parameters.

Meta File Size: The maximum size, in gigabytes, of the meta database files. The default value is 3 GB. Change takes effect on service restart.
Packet File Size: The maximum size, in gigabytes, of the packet database files. The default value is 4 GB. Change takes effect on service restart.
Session File Size: The maximum size, in megabytes, of the session database files. The default value is 256 MB. Change takes effect on service restart.

To calculate the drive sizes and free space for the meta, packet, and session databases in your environment, perform the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service, then select > View > Explore.
    The Service Explore View opens.
  3. In the Node List, right-click database and select Properties.
    The Properties panel is displayed.
  4. In the Properties panel, select reconfig from the drop-down list.
  5. In the Parameters field, enter update = false.
  6. Click Send.
    The Response Output displays the drive sizes and free space for the meta, packet, and session databases.

Hash

Controls database file hashing options. There is a small performance penalty when hashing is enabled. The following describes the hashing option.

Hash Directory: The server directory where all hash files are written. If empty, each hash file is written to the same directory as the file being hashed. The default value is blank. Change takes effect on service restart.

Parsers Configuration

The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. 

Security Analytics can configure individual parsers so that they do not store the metadata they generate on disk (the Transient option). This helps administrators protect certain data and is usually done as part of a data privacy plan (see Data Privacy Management).

Figure: DecParsCfgSec.png

The following describes the features of the Parsers Configuration section.

Enable All, Disable All: These options provide a way to quickly select either all parsers or no parsers.
Name: The names of the parsers available to the Decoder. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create. In the example above, CMS_windows_executable has three selectable meta keys that the parser can create: alert.id, error, and filetype.
Config Value: A drop-down list that changes the setting for the parser or meta key to Enabled, Disabled, or Transient.
  • When Enabled, the Decoder uses the parser to filter traffic.
  • When Transient, the Decoder uses the parser to filter traffic, but the generated metadata is not stored on disk. The transient metadata is available in memory to additional content (that is, parsers, feeds, and application rules) on that Decoder.
  • When Disabled, the Decoder does not use the parser.
If the metadata generated by the parser is configurable, clicking the plus sign to expand the parser displays the configurable meta keys, and the same drop-down list selects which meta keys the parser creates.

Additional Service Parsers Configuration for Log Decoder

The Service Parsers Configuration section provides a way to select Service parsers to use on the Log Decoder.

Figure: LDSvcParsCfgSec.png
